Cloud and Virtual Networking Concepts
Key Takeaways
- A VPC (AWS) or VNet (Azure) is a logically isolated cloud network with subnets, route tables, gateways, and security controls.
- Security groups are stateful and filter at the instance/interface level; network ACLs are stateless and filter at the subnet level.
- Internet gateways allow public routing, NAT gateways allow outbound-only from private subnets, and VPN/Direct-Connect gateways link to on-prem.
- NFV turns firewalls, routers, and load balancers into software; SDN separates the control plane from the data plane.
- SD-WAN does policy-based path selection across links; SASE adds cloud-delivered security (SWG, CASB, ZTNA, FWaaS) at the edge.
Cloud Reuses Familiar Network Concepts
Cloud networking applies the same ideas you already know - subnets, routes, gateways, firewalls, NAT, VPNs, load balancers, DNS - but the controls are software-defined and managed through a cloud control plane. Network+ is vendor-neutral, so translate each brand term into its network function.
| Concept | Vendor-neutral meaning | Common clue |
|---|---|---|
| VPC (AWS) / VNet (Azure) | Logically isolated cloud network | Cloud subnets and route tables |
| Subnet | IP range inside the cloud network | Public, private, app, or DB tier |
| Cloud gateway | Connects the virtual network outward | Internet, NAT, or VPN gateway |
| Security group | Stateful instance/interface filter | "Allow 443 from the load balancer" |
| Network ACL | Stateless subnet-level filter | Numbered allow/deny rule list |
| Load balancer | Distributes traffic across targets | Public front end or internal service |
The single most-tested distinction: security groups are stateful (return traffic is auto-allowed) while network ACLs are stateless (you must permit both directions explicitly), and they apply at different scopes - instance versus subnet.
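To make that distinction concrete, here is a small Python model (added for this guide, not vendor code) of the two evaluation styles: a security group that records accepted flows and lets their replies out without an outbound rule, and a network ACL that evaluates numbered rules lowest-first with an implicit deny and needs an explicit outbound rule for the client's ephemeral port. Packet addresses, ports and rule numbers are constructed sample values.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport")

def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

class SecurityGroup:
    """Stateful interface filter: allow rules only; return traffic of an accepted flow needs no outbound rule."""
    def __init__(self, inbound):
        self.inbound = inbound   # (source CIDR, destination port)
        self.flows = set()       # connection table
    def inbound_allowed(self, pkt):
        if any(pkt.dport == port and in_cidr(pkt.src, cidr) for cidr, port in self.inbound):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False
    def outbound_allowed(self, pkt):   # return traffic is matched by state, not by rules
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows

class NetworkAcl:
    """Stateless subnet filter: numbered allow/deny rules, lowest number first,
    first match wins, implicit deny; inbound and outbound lists are independent."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound   # (number, action, CIDR, (low, high))
    @staticmethod
    def _evaluate(rules, remote_ip, port):
        for _, action, cidr, (low, high) in sorted(rules):
            if low <= port <= high and in_cidr(remote_ip, cidr):
                return action == "allow"
        return False
    def inbound_allowed(self, pkt):
        return self._evaluate(self.inbound, pkt.src, pkt.dport)
    def outbound_allowed(self, pkt):
        return self._evaluate(self.outbound, pkt.dst, pkt.dport)

# Constructed sample flow: internet client (ephemeral port) -> web server on 443, and its reply.
request = Packet("203.0.113.10", "10.0.1.5", 51234, 443)
reply = Packet(request.dst, request.src, request.dport, request.sport)
sg = SecurityGroup(inbound=[("0.0.0.0/0", 443)])
sg_result = (sg.inbound_allowed(request), sg.outbound_allowed(reply))  # (True, True)

# NACL that permits 443 inbound but has no outbound rule for the client's ephemeral port.
nacl = NetworkAcl(inbound=[(100, "allow", "0.0.0.0/0", (443, 443))],
                  outbound=[(100, "allow", "0.0.0.0/0", (443, 443))])
nacl_result = (nacl.inbound_allowed(request), nacl.outbound_allowed(reply))  # (True, False)

# The stateless fix: an explicit outbound allow for the ephemeral range 1024-65535.
nacl.outbound.append((110, "allow", "0.0.0.0/0", (1024, 65535)))
nacl_fixed = nacl.outbound_allowed(reply)  # True
```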
VPC / VNet Design and Subnet Tiers
A cloud network spans multiple subnets across availability zones for fault tolerance. Public subnets have a route to an internet gateway for inbound/outbound internet; private subnets reach the internet only outbound via a NAT gateway or use private endpoints, and never accept unsolicited inbound internet traffic. Each subnet sits inside a non-overlapping CIDR block (for example a /16 VPC carved into /24 subnets).
| Tier | Subnet placement | Security focus |
|---|---|---|
| Web / load balancer | Public subnet | Only ports 80/443 from the internet |
| Application | Private subnet | Allow only from web/LB tier |
| Database | Private subnet | Allow only DB port from app tier |
| Management | Private + controlled path | MFA, VPN, bastion, ZTNA, logging |
Overlapping CIDR ranges are a classic blocker: two VPCs/VNets with the same address space cannot peer or route to each other, so plan non-overlapping subnets from the start.
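A quick address-planning check, added here as an example rather than taken from any cloud provider's tooling: carve a VPC block into non-overlapping subnets and flag which virtual networks cannot be peered because their address spaces overlap. The VPC names and CIDRs are constructed.

```python
import ipaddress
from itertools import combinations

def carve_subnets(vpc_cidr, new_prefix, count):
    """Split a VPC block into its first `count` subnets of the given prefix
    length, e.g. a /16 into /24s; the result is non-overlapping by construction."""
    vpc = ipaddress.ip_network(vpc_cidr)
    subnets = list(vpc.subnets(new_prefix=new_prefix))
    if count > len(subnets):
        raise ValueError(f"{vpc} holds only {len(subnets)} /{new_prefix} subnets")
    return [str(s) for s in subnets[:count]]

def overlapping_pairs(vpcs):
    """Pairs of virtual networks whose address spaces overlap. Such a pair cannot
    be peered: a route to the remote network would shadow local addresses.
    `vpcs` maps a name to its CIDR."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in vpcs.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]

def peering_plan(vpcs):
    """Return (pairs that can be peered, pairs blocked by an overlap)."""
    blocked = set(overlapping_pairs(vpcs))
    allowed = [p for p in combinations(sorted(vpcs), 2) if p not in blocked]
    return allowed, sorted(blocked)

# Constructed example: dev was cloned from prod with the same /16, shared uses a different block.
VPCS = {"prod": "10.0.0.0/16", "dev": "10.0.0.0/16", "shared": "10.1.0.0/16"}
```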
Gateways and Cloud Connectivity
Each gateway type maps to one connectivity job. Knowing the job is enough for the exam.
| Gateway / connection | Purpose |
|---|---|
| Internet gateway | Public internet routing for resources with public paths |
| NAT gateway | Outbound-only internet for private subnet resources |
| VPN gateway | Encrypted IPsec tunnel between cloud and on-prem |
| Private circuit (Direct Connect / ExpressRoute) | Dedicated provider path, bypasses public internet |
| Transit gateway / hub | Central routing point between many VPCs/VNets |
| Peering | Direct private connectivity between two virtual networks |
The difference between an internet gateway (bidirectional public routing) and a NAT gateway (outbound only, blocks unsolicited inbound) is heavily tested. A private database server that needs OS patches uses NAT for outbound updates while staying unreachable from the internet.
NFV, SDN, SD-WAN, and SASE
Network function virtualization (NFV) moves firewalls, routers, load balancers, WAN optimizers, and IPS from dedicated appliances into virtual machines or cloud services. Software-defined networking (SDN) separates the control plane (decisions) from the data plane (forwarding) so a central controller programs behavior via APIs. SD-WAN uses software control to choose WAN paths per application across broadband, LTE/5G, and MPLS based on link health and policy.
SASE (Secure Access Service Edge) fuses WAN access with cloud-delivered security - secure web gateway (SWG), cloud access security broker (CASB), zero trust network access (ZTNA), and firewall-as-a-service (FWaaS).
| Technology | Exam meaning | Best clue |
|---|---|---|
| NFV | Network appliance as software | Virtual firewall or virtual router |
| SDN | Centralized programmable control | Controller programs forwarding via API |
| SD-WAN | Policy-based WAN path selection | Picks broadband/LTE/MPLS per app |
| SASE | Cloud-delivered network + security edge | Remote users reach apps through a security edge |
Worked Scenarios and Cloud Routing Traps
Scenario 1: A three-tier cloud app has public load balancers, private app servers, and private databases. A correct security-group design: allow HTTPS (443) from the internet to the load balancer, allow the app port from the load balancer to app instances, and allow the database port only from app instances. Never open the database port to the internet.
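The Scenario 1 rule set, modelled in Python as an added example (not provider code): each tier's security group names the previous tier's security group as its source, and two small audit helpers show who can reach each listening port and which tiers are exposed to a source that carries no security group. The group names, addresses and the 8080 app port are constructed assumptions.

```python
import ipaddress

# Constructed three-tier design. A rule's source is either a CIDR or the name of
# another security group, which is how "allow 443 from the load balancer" is
# expressed without hard-coding instance addresses.
SECURITY_GROUPS = {
    "sg-lb":  [("0.0.0.0/0", 443)],   # HTTPS from the internet
    "sg-app": [("sg-lb", 8080)],      # app port only from the load-balancer tier
    "sg-db":  [("sg-app", 5432)],     # database port only from the app tier
}
# Sample sources: address and the security group attached to it (None = internet).
SOURCES = {
    "internet": ("198.51.100.7", None),
    "lb":       ("10.0.1.10", "sg-lb"),
    "app":      ("10.0.2.10", "sg-app"),
    "db":       ("10.0.3.10", "sg-db"),
}
LISTENERS = {"sg-lb": 443, "sg-app": 8080, "sg-db": 5432}

def inbound_allowed(groups, target_sg, src_ip, src_sg, dport):
    """Security-group semantics: allow-only rules, any matching rule permits the packet."""
    for source, port in groups[target_sg]:
        if port != dport:
            continue
        if source.startswith("sg-"):
            if src_sg == source:
                return True
        elif ipaddress.ip_address(src_ip) in ipaddress.ip_network(source):
            return True
    return False

def who_can_reach(target_sg, groups=SECURITY_GROUPS, sources=SOURCES, listeners=LISTENERS):
    """Names of the sample sources that can open the target tier's listening port."""
    port = listeners[target_sg]
    return {name for name, (ip, sg) in sources.items() if inbound_allowed(groups, target_sg, ip, sg, port)}

def internet_exposed(groups=SECURITY_GROUPS, sources=SOURCES, listeners=LISTENERS):
    """Tiers reachable from a source with no security group, i.e. the internet.
    Anything here other than the load balancer is the classic exam trap."""
    return {sg for sg in listeners if any(
        inbound_allowed(groups, sg, ip, src_sg, listeners[sg])
        for ip, src_sg in sources.values() if src_sg is None)}

# A broken variant: the database port was opened to the world "temporarily".
BROKEN = {**SECURITY_GROUPS, "sg-db": [("0.0.0.0/0", 5432)]}
```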
Scenario 2: A company wants branch traffic to use whichever WAN circuit is healthy and to send SaaS traffic straight through cloud security instead of hairpinning through HQ. That is SD-WAN plus SASE: policy-based path selection with cloud-delivered enforcement.
| Symptom | Likely area to check |
|---|---|
| Private server cannot reach updates | NAT gateway or outbound route missing |
| Public web server unreachable | Public IP, internet-gateway route, security group |
| Database reachable from internet | Subnet route + security-group rules too open |
| Two VNets cannot communicate | Peering missing or overlapping CIDR |
| VPN tunnel up but no traffic | Routes, encryption domains, firewall rules |
Translate every brand-specific word into a network function - isolated network, subnet, route, gateway, filter, inspection, or policy controller - and the vendor-neutral exam answer becomes clear.
A cloud database should accept connections only from application servers in a private subnet. Which control most directly enforces that at the instance or interface level and automatically allows return traffic?
A private cloud server needs outbound internet access for patches but must not receive unsolicited inbound internet traffic. Which gateway concept fits?
Which statement correctly distinguishes a network ACL from a security group in a typical cloud platform?